Lawmakers have been under intense pressure to draft laws that better protect consumers following the data breach at Equifax, which affected nearly 148 million people in the U.S. as well as consumers in Canada and the U.K. (see Equifax Discloses 2.4 Million More Mega-Breach Victims).

In 42 states, credit bureaus are allowed to charge for freezing a record if the person has not been a victim of identity theft. The fees range from $3 to $10.

Experts generally recommend credit freezes, particularly with the growth in identity theft. Once a freeze is in place, a company cannot request the credit record unless a person unfreezes the record.

A freeze is particularly important because consumers aren't usually notified when someone requests their credit record unless they've signed up for services.

That's advantageous for identity thieves, who exploit the gap in between when they fraudulently apply for services and the time it takes for consumers to figure out they're victims. Federal law allows for someone to request a free credit report from credit bureaus, but it's limited to one per year.

For the most complete protection, consumers need to place freezes at several large credit bureaus, such as Equifax, Experian, TransUnion and Innovis. Businesses may use one or more of those credit bureaus to check records.

Backed by Consumers Rights Groups

Consumer protection groups have long argued that charging for a freeze is unfair. Credit bureaus collect sensitive consumer data without consumers' consent and profit from it, they contend.

The U.S. Public Interest Research Group is one of those groups. In a blog post Wednesday, the group says "consumers shouldn't have to pay to protect themselves from a problem they didn't create."

"A credit freeze with all three major credit bureaus remains the best action consumers can take after the Equifax hack, whether they were affected or not," writes Mike Litt, director of PIRG's Campaign to Defend the Consumer Bureau.

Credit Industry Opposition

But an industry trade group, the Consumer Data Industry Association, has a different view of the utility of a credit freeze, according to the associations's president and CEO, Francis Creighton, who testified on Wednesday before the House Subcommittee on Financial Institutions and Consumer Credit.

In his written testimony, Creighton contends that credit freezes "should not be the first line of defense in identity protection," but rather that consumers should consult a free, annual credit report.

"Credit freezes are required by law in every state and are a final line of defense for consumers who are chronically victims of identity theft or who do not plan to be credit active or active in various other commercial situations," Creighton says.

Creighton told The Wall Street Journal on Thursday: "We think it's fair that we're able to charge a fee on a freeze. Given that [policy makers] don't agree with us, this bill is perfectly reasonable."

Free, Fast Freeze

Credit freezes do carry some inconveniences for consumers. The freeze has to be lifted temporarily if someone applies for credit, and then the record has to be refrozen. Also, under most current laws, credit bureaus may charge another fee to temporarily lift a freeze.

The Senate bill, S.2155, would ban all such fees. Credit bureaus would be required to implement a freeze within a day unless contacted by mail, in which case the requirement would be three days. Within five days, credit bureaus would have to confirm the placement of a freeze along with the requirements for lifting the freeze.

The bill also allows for another type of free service. Rather than a security freeze, consumers could place an extended fraud alert on their account that lasts a year. If a business wants to check someone's credit, upon seeing the alert, it would have to then take steps to verify the person's identity. Those who have already been victims of identity theft would be entitled to a fraud alert that lasts for seven years.

The Senate is due to vote on the bill, which contains a large package of other regulatory changes for the banking industry, next week.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.